Latest jailbreak shows it is time to secure mobile commerce
By David Eads
Mobile commerce should get used to security breaches – a sign of mobile going mainstream.
The mobile ecosystem needs to develop security strategies like the computing industry did in response to viruses and phishing.
The federal government recently declared phone jail-breaking legal. Jail-breaking is the process for unlocking phones, such as the iPhone, to do things that Apple and the carriers restrict, including changing to a different carrier or turning an iPhone into a WiFi hotspot.
While jail-breaking unlocks exciting additional functionality, it also increases the risk of a malicious attack.
iPhone jail-breaking has become so mature that it now requires only the swipe of a finger after browsing to a particular Web site at http://www.jailbreakme.com.
Fortunately, the iPhone developer team – the de facto jailbreak providers – seems to be using its skills for good rather than evil. However, the simplicity of the current process exposes an extremely dangerous vulnerability in the iPhone and, by extension, mobile commerce.
There is no doubt that mobile is growing rapidly. We have seen mobile banking adoption across the industry grow 20 percent per quarter over the last year. However, improving consumer perception of mobile security will drive future adoption.
“Respondents consistently cite security concerns as a key reason for not choosing to use mobile technology,” said Tom Wills of Javelin Strategy & Research.
“Studies over the last two years have held steady at about 42 percent to 43 percent citing security concerns as reasons for not using mobile.”
The latest jailbreak process opens up the possibility that bad guys could jailbreak and infect victims’ phones by simply visiting a Web site.
Once infected, the bad guys could potentially have ongoing access to confidential information on the phone, including how to access financial accounts.
Highly publicized damage from such an attack could stall mobile adoption across the industry in addition to inflicting significant financial losses.
Viruses, phishing attacks and fraud, in general, arose as computers and the Internet went mainstream.
Now that mobile phones increasingly have our attention, fraudsters see the same economics as mobile marketers, and have turned their attention to mobile devices.
Like many readers here, my livelihood depends upon the success of mobile commerce. I have a vested interest in the continued success of mobile commerce. Therefore, I also have a vested interest in mobile security.
The entire mobile community has a responsibility to educate customers on safe practices and keep mobile security one step ahead of the bad guys.
Attacks will evolve continuously. Companies will face difficult challenges to protect themselves and customers.
Security best practices developed from ecommerce experiences must be adapted for mobile, and organizations must stay vigilant for emerging threats unique to mobile.
Platform developers such as Apple, Google and the wireless carriers also have responsibilities to stay on top of the latest exploits and provide a malware protection framework for mobile commerce.
With the current system, application providers cannot protect themselves because platforms such as the iPhone lack – and, in some cases, actively restrict – methods to detect and fix malware infections.
For example, there is no way to run virus protection on an unjailbroken iPhone. Yet the risk to users is precisely that a hacker could trigger the jailbreak at seemingly any time. Users need the ability to determine whether their phone has been compromised.
Similarly, the Google Android application developer identity verification lacks the strength of the Apple application process.
Android needs a strong trusted identity authorization and validation system to make it more difficult for criminals to masquerade as legitimate businesses and malware to masquerade as legitimate applications.
Strong security will ensure mobile thrives. As mobile commerce goes mainstream it becomes simply commerce.
It is already unthinkable to abandon using applications with sensitive information on our phones. We cannot go back to not using mobile banking, mobile shopping or even viewing confidential email on our phones.
Mobile commerce must be secured. Mobile platform vendors need to help companies protect themselves and their common customer.
David Eads is CEO of Mobile Strategy Partners, Johns Creek, GA.